Systems and methods for verifying remote device proximity in RFID systems

This application claims the benefit of U.S. Provisional Application No. 63/609,003 filed Dec. 12, 2023, entitled “Systems and Methods for Verifying Remote Device Proximity in RFID Systems,” which is incorporated herein by reference in its entirety.

Some automotive key fobs are vulnerable to relay attacks in which attackers relay and amplify radio frequency (RF) signals exchanged between the fob and the corresponding vehicle to obtain unauthorized access to the vehicle. Relay attacks can also be used on other types of systems that rely on authentication using RF signals, such as credit cards that use near-field communication (NFC). It is with respect to this general technical environment that aspects of the present disclosure are directed.

The present application describes a method including: sending, to a remote device, a computational challenge via radio frequency communication; receiving a first response to the computational challenge; dynamically determining a maximum acceptable latency for the first response, where the maximum acceptable latency includes a first duration associated with the remote device generating the first response and a second duration for propagation of the computational challenge and the first response; determining whether the first response satisfies one or more criteria, including a first criterion that is satisfied when the first response was received within the maximum acceptable latency for the first response; identifying an action associated with the remote device; in accordance with a determination that the first response satisfies the one or more criteria, causing the action to be performed; and in accordance with a determination that the first response does not satisfy the one or more criteria, refraining from causing the action to be performed.

In some examples, and in combination with any of the above aspects and examples, the method further includes receiving a first action request from the remote device, where the first action is identified based on the first action request.

In some examples, and in combination with any of the above aspects and examples, the first action is identified based on the first response.

In some examples, and in combination with any of the above aspects and examples, the one or more criteria include a second criterion that is satisfied when the first response was received after a minimum acceptable latency corresponding to the first duration for solving the computational challenge.

In some examples, and in combination with any of the above aspects and examples, the one or more criteria include a third criterion that is satisfied when the first response is successfully authenticated.

In some examples, and in combination with any of the above aspects and examples, dynamically determining the maximum acceptable latency for the first response includes determining the second duration based on context information.

In some examples, and in combination with any of the above aspects and examples, the context information includes a location of an electronic device associated with a registered user, a time of day, a calendar entry associated with the registered user, a usage pattern associated with the remote device, or a combination of these.

In some examples, and in combination with any of the above aspects and examples, dynamically determining the maximum acceptable latency for the first response includes dynamically determining the second duration based on a configuration setting of a maximum acceptable distance between a terminal and the remote device.

In some examples, and in combination with any of the above aspects and examples, dynamically determining the maximum acceptable latency for the first response includes selecting the second duration based on a current time of day.

In some examples, and in combination with any of the above aspects and examples, dynamically determining the maximum acceptable latency for the first response includes retrieving the maximum acceptable latency, the first duration, the second duration, or a combination of these from a storage element.

In some examples, and in combination with any of the above aspects and examples, the method further includes: sending, to the remote device, a second computational challenge via radio frequency communication; receiving a second response to the second computational challenge; dynamically determining a maximum acceptable latency for the second response, where the maximum acceptable latency for the second response is different from the maximum acceptable latency for the first response; determining whether the second response satisfies the one or more second criteria, including a criterion that is satisfied when the second response is received within the maximum acceptable latency for the second response; identifying a second action associated with the remote device; in accordance with a determination that the second response satisfies the one or more second criteria, causing the second action to be performed; and in accordance with a determination that the second response does not satisfy the one or more second criteria, refraining from causing the second action to be performed.

In other aspects, the present application describes a system that includes: at least one processor; and memory, operatively connected to the at least one processor and storing instructions that, when executed by the at least one processor, cause the system to perform a method. In examples, the method includes: sending, to a remote device, a computational challenge via radio frequency communication; receiving a first response to the computational challenge; dynamically determining a maximum acceptable latency for the first response, wherein the maximum acceptable latency for the first response comprises a first duration associated with the remote device generating the first response and a second duration for propagation of the computational challenge and the first response; determining whether the first response satisfies one or more criteria, including a first criterion that is satisfied when the first response was received within the maximum acceptable latency for the first response; identifying a first action associated with the remote device; in accordance with a determination that the first response satisfies the one or more criteria, causing the first action to be performed; and in accordance with a determination that the first response does not satisfy the one or more criteria, refraining from causing the first action to be performed.

In some examples, and in combination with any of the above aspects and examples, the method further includes receiving a first action request from the remote device, where the first action is identified based on the first action request.

In some examples, and in combination with any of the above aspects and examples, the first action is identified based on the first response.

In some examples, and in combination with any of the above aspects and examples, the one or more criteria include a second criterion that is satisfied when the first response was received after a minimum acceptable latency corresponding to the first duration for solving the computational challenge.

In some examples, and in combination with any of the above aspects and examples, the one or more criteria include a third criterion that is satisfied when the first response is successfully authenticated.

In some examples, and in combination with any of the above aspects and examples, dynamically determining the maximum acceptable latency for the first response includes determining the second duration based on context information.

In some examples, and in combination with any of the above aspects and examples, the context information includes a location of an electronic device associated with a registered user, a time of day, a calendar entry associated with the registered user, a usage pattern associated with the remote device, or a combination of these.

In some examples, and in combination with any of the above aspects and examples, dynamically determining the maximum acceptable latency for the first response includes dynamically determining the second duration based on a configuration setting of a maximum acceptable distance between a terminal and the remote device.

In some examples, and in combination with any of the above aspects and examples, dynamically determining the maximum acceptable latency for the first response includes selecting the second duration based on a current time of day.

In some examples, and in combination with any of the above aspects and examples, dynamically determining the maximum acceptable latency for the first response includes retrieving the maximum acceptable latency, the first duration, the second duration, or a combination of these from a storage element.

In some examples, and in combination with any of the above aspects and examples, the method further includes: sending, to the remote device, a second computational challenge via radio frequency communication; receiving a second response to the second computational challenge; dynamically determining a maximum acceptable latency for the second response, where the maximum acceptable latency for the second response is different from the maximum acceptable latency for the first response; determining whether the second response satisfies one or more second criteria, including a criterion that is satisfied when the second response was received within the maximum acceptable latency for the second response; identifying a second action associated with the remote device; in accordance with a determination that the second response satisfies the one or more second criteria, causing the second action to be performed; and in accordance with a determination that the second response does not satisfy the one or more second criteria, refraining from causing the second action to be performed.

In other aspects, the present application describes a method including: sending, to a remote device, a computational challenge via radio frequency communication; receiving a response to the computational challenge; dynamically determining a maximum acceptable latency for the response based on context information; determining whether the response satisfies one or more criteria, including a first criterion that is satisfied when the response was received within the maximum acceptable latency; identifying an action associated with the remote device; in accordance with a determination that the response satisfies the one or more criteria, causing the action to be performed; and in accordance with a determination that the response does not satisfy the one or more criteria, refraining from causing the action to be performed.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

Vehicles with electronic key fobs typically rely on radio frequency identification (RFID) to ensure that a particular fob only works with a particular vehicle. Some key fobs are vulnerable to relay attacks, however, in which one or more attackers (typically two) relay and amplify RF signals exchanged between the fob and the corresponding vehicle to obtain unauthorized control of the vehicle.

depicts an example of an RFID-based system that includes a remote deviceand a terminal. The terminalmay be, for example, a computing system in a vehicle that is configured to exchange RF signals with the remote device, which may be a key fob. The terminaland remote deviceeach includes an RF antenna for exchanging RF signals, along with processing circuitry to generate and process such signals. For example, a terminalof a vehicle may periodically transmit a query signal to determine whether a remote deviceis within range (e.g., close enough to the vehicle to receive the transmitted query signal and respond). In some cases, if the terminalreceives a response from the remote device, the terminalperforms an authentication procedure to determine whether the remote deviceis authorized to communicate with the terminal. For example, the terminalmay determine whether a signal received from the remote deviceincludes appropriate authentication information (such as by including a code that is matched to a corresponding code stored at the terminalor using another authentication approach). In some cases, the terminaltransmits a computational challenge to the remote device(e.g., a seed value for a hash function or another value that may be used by the remote deviceto generate (e.g., compute) a response using an algorithm stored on the remote device. If the remote deviceresponds with an appropriate response, the terminalauthenticates the remote device. In some cases, a terminalmay perform an action at least in part in response to receiving an authenticated signal from a remote device. For example, a vehicle may automatically unlock its doors at least in part in response to detecting an authenticated signal from a key fob.

In some cases, a remote devicetransmits signals to a terminalwithout an explicit user input; for example, a key fob may automatically (without user input) transmit a response signal to a vehicle in response to receiving a query signal (or challenge) from the vehicle, and the vehicle may, in turn, authenticate the response signal and unlock the doors of the vehicle in response to receiving an authenticated signal from the key fob. In this manner, the vehicle may automatically unlock its doors (or allow them to be unlocked using a physical button on the vehicle, for example) when it detects that an authenticated key fob is nearby.

Such RFID-based systems may be vulnerable to malicious relay attacks, however, such as depicted in. In a relay attack, a first relay system(e.g., an electronic system carried by a first attacker) may be positioned in close proximity to the remote deviceand a second relay system(e.g., an electronic system carried by a second attacker) may be positioned close to the terminal. RF signals transmitted by the terminalmay be captured, amplified, and relayed to the remote deviceusing the first relay systemand second relay system, and vice versa. In this case, the terminalmay mistakenly determine (based on relayed signals) that the remote deviceis in close proximity to the terminaleven when the remote deviceis relatively far away. For example, a vehicle may mistakenly determine that a key fob is nearby when the key fob is not nearby, and the vehicle may respond by unlocking its doors (or taking some other action, such as starting its engine), allowing an attacker to gain access to the vehicle. Such communications may occur between the remote deviceand the terminal(via the relay systems) without a user of the remote devicebeing aware that they are occurring.

Other types of remote device/terminal combinations may be susceptible to such attacks. For example, similar relay attacks can be used to relay signals between a payment terminal and an RFID-equipped payment card (e.g., a credit card that uses near-field RF signals to provide payment information to a payment terminal).

As described herein, systems and methods for preventing relay attacks in RFID systems can be used to determine whether a remote device (such as a key fob or credit card) is in close physical proximity to a terminal (such as a terminal in a vehicle or a payment terminal) based on a configurable maximum acceptable latency for communications between the terminal and the remote device.

In some examples, the remote device is provided with (e.g., programmed with) an algorithm that can be used by the remote device to generate a response to a computational challenge that is received from a terminal. In some examples, an amount of time required by the remote device to generate a response (e.g., a time duration required by the remote device to perform the algorithm) is determined (e.g., by the remote device itself, by the terminal, or by another computing device) and provided to the terminal. The time duration required by the remote device to compute the response may vary between remote devices and may be based on the specific computational circuitry included in the remote device. Thus, this time duration may be device specific.

In some examples, the terminal can determine a distance of the remote device from the terminal (e.g., a proximity) based on a latency between when the terminal transmits a challenge and when the terminal receives a response. This latency includes a computational latency required by the remote device to compute a response to the challenge (a latency which is known to the terminal) plus the round-trip communication latency (e.g., a latency that includes a time duration associated with the challenge being propagated to the remote device and a time duration associated with the response being propagated from the remote device to the terminal). For example, the terminal can determine the distance of the remote device from the terminal by determining (e.g., measuring) the total latency between transmitting a challenge and receiving a response, subtracting the computational latency to determine the communication latency, and using the communication latency to determine the distance of the remote device based on known or estimated RF signal propagation speeds.

Conversely, given a maximum acceptable distance between the remote device and the terminal, a maximum acceptable latency can be determined. In some examples, the maximum acceptable latency corresponds to an expected latency when the remote device is physically located at a threshold distance (e.g., a maximum acceptable distance) from the terminal. In some examples, if the measured latency is within (e.g., less than or equal to) the maximum acceptable latency, the remote device is determined, by the terminal, to be within the maximum acceptable distance, indicating that signals received from the remote device are unlikely to be attacker-relayed signals (which would have longer communication latencies).

In some examples, if the terminal receives a response within the maximum acceptable latency (and if the response is successfully authenticated), the terminal performs an action associated with the remote device. In some examples, if the terminal does not receive a response within the maximum acceptable latency (e.g., the latency of the response exceeds the maximum acceptable latency), the terminal refrains from performing the action.

In some examples, the maximum acceptable latency is a constant value that is based on a constant maximum acceptable distance. For example, the maximum acceptable latency may be calculated based on having a constant maximum acceptable distance of five feet, such that the terminal does not respond to action requests received from the remote device if the terminal determines that the remote device is more than five feet away.

In some examples, the maximum acceptable latency is configurable. For example, a user of the terminal can configure the maximum acceptable latency (e.g., based on a maximum acceptable distance) via a configuration setting that is provided to the terminal.

In some examples, the maximum acceptable latency is a variable whose value varies over time and is dynamically determined, by the terminal or by another computing device that is configured to communicate with the terminal, based on context information that may be correlated with a likelihood of unauthorized access attempts. For example, the maximum acceptable latency may be determined to be a first value (e.g., corresponding to a distance of 10 feet) from 5 am to 11 pm and a second value (e.g., corresponding to a distance of 3 feet) from 11 pm to 5 am, reflecting a higher likelihood of unauthorized access attempts at night. In some examples, an artificial intelligence and/or machine learning system may determine the maximum acceptable latency based on other context information, such as usage patterns associated with the remote device and/or other behavior patterns associated with a user of the remote device. In some examples, the maximum acceptable latency is determined dynamically in response to a request by the terminal, such as depicted in.

In the following detailed description, references are made to the accompanying drawings that form a part hereof, and in which are shown by way of illustrations specific embodiments or examples. These aspects may be combined, other aspects may be utilized, and structural changes may be made without departing from the present disclosure. Examples may be practiced as methods, systems, or devices. Accordingly, examples may take the form of a hardware implementation, an entirely software implementation, or an implementation combining software and hardware aspects. In addition, all systems described with respect to the figures can comprise one or more machines or devices that are operatively connected to cooperate in order to provide the described system functionality. The following detailed description is therefore not to be taken in a limiting sense, and the scope of the present disclosure is defined by the appended claims and their equivalents.

Additional details regarding methods and systems that can be used to implement aspects of the above-described features is described with reference to.

depicts a swim-lane diagram showing example communications between a terminal, a remote device, and a maximum acceptable latency determination system. In some examples, the maximum acceptable latency determination systemis included in the terminal. In some examples, the maximum acceptable latency determination systemis external to the terminaland is configured to communicate with the terminal. In some examples, the maximum acceptable latency determination systemincludes a computing device for determining the maximum acceptable latency, such as computing devicedepicted in.

At operation, the terminalrequests a maximum acceptable latency value from the maximum acceptable latency determination system. For example, the terminalmay request the value in preparation for sending a challenge to the remote device, at initialization or startup, or at another time.

In some examples, in response to receiving the request from the terminal, the maximum acceptable latency determination systemdetermines, at operation, a maximum acceptable latency between a time at which the terminaltransmits a challenge to a remote deviceand the time at which the terminalreceives a response from the remote device.

The maximum acceptable latency determination systemmay determine the maximum acceptable latency based on a variety of context information obtained from internal and/or external sources, such as described with reference to. The maximum acceptable latency determination systemmay dynamically determine the maximum acceptable latency based on a probability of legitimate usage of the remote device. For example, the maximum acceptable latency determination systemmay determine that there is a low probability of the user legitimately using the remote device based on context information indicating that it is 4:00 a.m.; that the user's phone is in a different city than the terminal (e.g., as indicated by the phone's GPS location and the terminal's current GPS location) along with historical context information for the remote device indicates that the user's phone is typically located near the remote device when a legitimate response is received from the remote device; that historic context information for the remote deviceindicates that the user very rarely uses the vehicle at this time of day; and/or that the user's home security system has not detected any motion within the user's home. A person of skill in the art will appreciate that there are many potential indications of the probability of legitimate usage of the remote device based on various types of context information and combinations of such context information.

In some examples, the maximum acceptable latency determination systemsets the maximum acceptable latency to a relatively low value (representing a relatively small acceptable distance between the remote deviceand the terminal, such as 0, 1, 2, 5, 10, or 15 feet) based on a determination that there is a low probability of legitimate usage of the remote device. In some examples, in response to a determination that there is a low probability of legitimate usage of the remote device, the maximum acceptable latency determination systemsets the maximum acceptable latency to zero or to a value that requires the remote deviceto be located inside the vehicle, thereby essentially disabling actions that the terminal would otherwise cause to be performed based on the proximity of the remote deviceoutside of the vehicle. In this case, a user may still be able to use other features that are initiated at the remote device, such as by pressing an unlock button.

At operation, the maximum acceptable latency determination systemprovides the maximum acceptable latency (e.g., the latency determined at operation) to the terminal.

At operation, the terminaltransmits a computational challenge to the remote device. The computational challenge may include a value for use in an algorithm stored on the remote device, for example. In some examples, operations,,could be performed following the issuance of the computational challenge at operation.

At operation, the remote device generates a response to the computational challenge, such as by using a value received in the computational challenge to compute a response using an algorithm stored on the remote device.

At operation, the remote device transmits the response to the terminal, which is received by the terminalat operation.